add tcp_router.backend_tls.enable flag
Signed-off-by: Geoff Franks <geoff.franks@broadcom.com>
ameowlia committed Jul 9, 2024
1 parent 44bf426 commit b501fc2
Showing 3 changed files with 177 additions and 60 deletions.
6 changes: 6 additions & 0 deletions jobs/tcp_router/spec
Expand Up @@ -48,6 +48,12 @@ properties:
default: "1m"
tcp_router.oauth_secret:
description: "OAuth client secret used to obtain token for Routing API from UAA."
tcp_router.backend_tls.enabled:
description: |
Turns on support for TLS for TCP Router. Requires tcp_router.backend_tls.ca_cert to
be set. For mTLS also set tcp_router.backend_tls.client_cert and
tcp_router.backend_tls.client_key.
default: false
tcp_router.backend_tls.client_cert:
description: "TCP Router's TLS client cert used for mTLS with route backends"
tcp_router.backend_tls.client_key:
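Review bot: The new description for tcp_router.backend_tls.enabled leaves two constraints the template in this same commit enforces undocumented: client_cert and client_key are accepted only as a pair (the template raises when one is set without the other), and when this flag is false the ca_cert, client_cert and client_key properties are ignored rather than validated. Consider appending `Both client_cert and client_key must be set together. When this flag is false, the other tcp_router.backend_tls.* properties are ignored.` to the description. The opening sentence could also name the peer, e.g. `Turns on TLS to route backends for TCP Router.`, since the neighbouring client_cert description already says "used for mTLS with route backends".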
40 changes: 22 additions & 18 deletions jobs/tcp_router/templates/tcp_router.yml.erb
Expand Up @@ -59,28 +59,32 @@ haproxy_pid_file: "/var/vcap/data/tcp_router/config/haproxy.pid"
isolation_segments: <%= p("tcp_router.isolation_segments") %>
reserved_system_component_ports: <%= reserved_system_component_ports %>
<%
ca_cert = p('tcp_router.backend_tls.ca_cert', '').strip
client_cert = p('tcp_router.backend_tls.client_cert', '').strip
client_key = p('tcp_router.backend_tls.client_key', '').strip
backend_tls_enabled = p('tcp_router.backend_tls.enabled')

if ca_cert == '' and client_cert != ''
raise 'tcp_router.backend_tls.client_cert was specified, but tcp_router.backend_tls.ca_cert was not provided'
end
if ca_cert == '' and client_key != ''
raise 'tcp_router.backend_tls.client_key was specified, but tcp_router.backend_tls.ca_cert was not provided'
end
if client_cert == '' and client_key != ''
raise 'tcp_router.backend_tls.client_key was specified, but tcp_router.backend_tls.client_cert was not provided'
end
if client_key == '' and client_cert != ''
raise 'tcp_router.backend_tls.client_cert was specified, but tcp_router.backend_tls.client_key was not provided'
end
if backend_tls_enabled
ca_cert = p('tcp_router.backend_tls.ca_cert', '').strip
client_cert = p('tcp_router.backend_tls.client_cert', '').strip
client_key = p('tcp_router.backend_tls.client_key', '').strip

if ca_cert == ''
raise 'tcp_router.backend_tls.enabled was set to true, but tcp_router.backend_tls.ca_cert was not provided'
end

if client_cert == '' and client_key != ''
raise 'tcp_router.backend_tls.enabled was set to true, tcp_router.backend_tls.client_key was set, but tcp_router.backend_tls.client_cert was not provided'
end

if client_key == '' and client_cert != ''
raise 'tcp_router.backend_tls.enabled was set to true, tcp_router.backend_tls.client_cert was set, but tcp_router.backend_tls.client_key was not provided'
end
end
-%>
<% if ca_cert != '' -%>

backend_tls:
enabled: <%= backend_tls_enabled %>
<% if backend_tls_enabled %>
ca_cert_path: "/var/vcap/jobs/tcp_router/config/certs/tcp-router/backend/ca.crt"
<% if client_cert != '' -%>
<% if client_cert != '' and client_key != '' %>
client_cert_and_key_path: "/var/vcap/jobs/tcp_router/config/keys/tcp-router/backend/client_cert_and_key.pem"
<% end -%>
<% end %>
<% end -%>
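Review bot: The new `if backend_tls_enabled` block and the `<% if backend_tls_enabled %>` guard treat any value other than false/nil as enabled, and `enabled: <%= backend_tls_enabled %>` echoes the raw property value into the YAML; if the property arrives as a string (for example "false"), the validation path and the rendered flag would both disagree with the operator's intent. A one-line check after the assignment would pin this down: `raise 'tcp_router.backend_tls.enabled must be true or false' unless [true, false].include?(backend_tls_enabled)`. Separately, the new conditions `if client_cert == '' and client_key != ''`, `if client_key == '' and client_cert != ''` and `<% if client_cert != '' and client_key != '' %>` use `and` for boolean logic; `&&` is the conventional form and avoids the low-precedence trap. Once the two raises above have passed, `client_cert != '' and client_key != ''` is equivalent to `client_cert != ''`, so the second operand is redundant, though harmless.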
191 changes: 149 additions & 42 deletions spec/tcp_router_templates_spec.rb
Expand Up @@ -304,6 +304,7 @@
'port' => 1000,
'skip_ssl_validation' => false
},
'backend_tls' => { 'enabled' => false },
'reserved_system_component_ports' => [8080, 8081],
'routing_api' => {
'uri' => 'https://routing-api.service.cf.internal',
Expand All @@ -316,97 +317,203 @@
end

describe 'tcp_router.backend_tls' do
describe 'when a CA is provided' do
describe 'when disabled' do
let :backend_tls do
{
'enabled' => false,
'ca_cert' => 'meowca',
'client_cert' => 'meowcert',
'client_key' => 'meowkey',
}
end

it 'does not set the CA path or client cert/key path' do
expect(rendered_config['backend_tls']).to eq({
'enabled' => false,
})
end
end
describe 'when enabled' do
describe 'when CA is a whitespace-only string' do
let :backend_tls do
{
'ca_cert' => 'ca cert',
'enabled' => true,
'ca_cert' => ' ',
}
end

it 'renders the backend_tls properties' do
expect(rendered_config['backend_tls']).to eq({
'ca_cert_path' => '/var/vcap/jobs/tcp_router/config/certs/tcp-router/backend/ca.crt',
})
it 'throws an error' do
expect { rendered_config }.to raise_error(
RuntimeError,
'tcp_router.backend_tls.enabled was set to true, but tcp_router.backend_tls.ca_cert was not provided',
)
end
end
describe 'when CA is not provided' do
let :backend_tls do
{
'enabled' => true,
}
end
it 'throws an error' do
expect { rendered_config }.to raise_error(
RuntimeError,
'tcp_router.backend_tls.enabled was set to true, but tcp_router.backend_tls.ca_cert was not provided',
)
end
end

describe 'when client cert/keys are provided' do

describe 'when a CA is provided' do
let :backend_tls do
{
'enabled' => true,
'ca_cert' => 'ca cert',
'client_cert' => 'client cert',
'client_key' =>'client key',
}
end

it 'renders the backend_tls properties' do
expect(rendered_config['backend_tls']).to eq({
'enabled' => true,
'ca_cert_path' => '/var/vcap/jobs/tcp_router/config/certs/tcp-router/backend/ca.crt',
'client_cert_and_key_path' => '/var/vcap/jobs/tcp_router/config/keys/tcp-router/backend/client_cert_and_key.pem',
})
end

end
describe 'when client cert/keys are provided' do
let :backend_tls do
{
'enabled' => true,
'ca_cert' => 'ca cert',
'client_cert' => 'client cert',
'client_key' =>'client key',
}
end

it 'renders the backend_tls properties' do
expect(rendered_config['backend_tls']).to eq({
'enabled' => true,
'ca_cert_path' => '/var/vcap/jobs/tcp_router/config/certs/tcp-router/backend/ca.crt',
'client_cert_and_key_path' => '/var/vcap/jobs/tcp_router/config/keys/tcp-router/backend/client_cert_and_key.pem',
})
end
end

describe 'when a client cert is provided but not a key' do
let :backend_tls do
{
'ca_cert' => 'ca cert',
'client_cert' => 'client cert',
}
describe 'when a client cert is provided but not a key' do
let :backend_tls do
{
'enabled' => true,
'ca_cert' => 'ca cert',
'client_cert' => 'client cert',
}
end

it 'throws an error' do
expect { rendered_config }.to raise_error(
RuntimeError,
'tcp_router.backend_tls.enabled was set to true, tcp_router.backend_tls.client_cert was set, but tcp_router.backend_tls.client_key was not provided',
)
end
end

it 'throws an error' do
expect { rendered_config }.to raise_error(
RuntimeError,
'tcp_router.backend_tls.client_cert was specified, but tcp_router.backend_tls.client_key was not provided',
)
describe 'when client cert is provided but key is a whitespace-only string' do
let :backend_tls do
{
'enabled' => true,
'ca_cert' => 'ca cert',
'client_cert' => 'client cert',
'client_key' => ' ',
}
end

it 'throws an error' do
expect { rendered_config }.to raise_error(
RuntimeError,
'tcp_router.backend_tls.enabled was set to true, tcp_router.backend_tls.client_cert was set, but tcp_router.backend_tls.client_key was not provided',
)
end
end
end

describe 'when a client key is provided but not a cert' do
let :backend_tls do
{
'ca_cert' => 'ca cert',
'client_key' =>'client key',
}
describe 'when a client key is provided but not a cert' do
let :backend_tls do
{
'enabled' => true,
'ca_cert' => 'ca cert',
'client_key' =>'client key',
}
end

it 'throws an error' do
expect { rendered_config }.to raise_error(
RuntimeError,
'tcp_router.backend_tls.enabled was set to true, tcp_router.backend_tls.client_key was set, but tcp_router.backend_tls.client_cert was not provided',
)
end
end

it 'throws an error' do
expect { rendered_config }.to raise_error(
RuntimeError,
'tcp_router.backend_tls.client_key was specified, but tcp_router.backend_tls.client_cert was not provided',
)
describe 'when client key is provided but cert is a whitespace-only string' do
let :backend_tls do
{
'enabled' => true,
'ca_cert' => 'ca cert',
'client_cert' => ' ',
'client_key' =>'client key',
}
end

it 'throws an error' do
expect { rendered_config }.to raise_error(
RuntimeError,
'tcp_router.backend_tls.enabled was set to true, tcp_router.backend_tls.client_key was set, but tcp_router.backend_tls.client_cert was not provided',
)
end
end
end
end

describe 'when a client cert is provided but not the CA' do
describe 'when a client cert is provided but not the CA' do
let :backend_tls do
{
'enabled' => true,
'client_cert' => 'client cert',
}
end

it 'throws an error' do
expect { rendered_config }.to raise_error(
RuntimeError,
'tcp_router.backend_tls.enabled was set to true, but tcp_router.backend_tls.ca_cert was not provided',
)
end
end
describe 'when a client key is provided but not the CA' do
let :backend_tls do
{
'client_cert' => 'client cert',
'enabled' => true,
'client_key' =>'client key',
}
end

it 'throws an error' do
expect { rendered_config }.to raise_error(
RuntimeError,
'tcp_router.backend_tls.client_cert was specified, but tcp_router.backend_tls.ca_cert was not provided',
'tcp_router.backend_tls.enabled was set to true, but tcp_router.backend_tls.ca_cert was not provided',
)
end
end
describe 'when a client key is provided but not the CA' do
end
describe 'when a client key is provided but the CA is whitespace-only ' do
let :backend_tls do
{
'enabled' => true,
'client_key' =>'client key',
'ca_cert' => ' ',
}
end

it 'throws an error' do
expect { rendered_config }.to raise_error(
RuntimeError,
'tcp_router.backend_tls.client_key was specified, but tcp_router.backend_tls.ca_cert was not provided',
'tcp_router.backend_tls.enabled was set to true, but tcp_router.backend_tls.ca_cert was not provided',
)
end
end
end
end

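Review bot: The rewritten 'when a CA is provided' example (its let now supplies 'ca_cert', 'client_cert' and 'client_key') is identical to the 'when client cert/keys are provided' example that follows it, so the plain-TLS case — enabled with a CA but no client credentials — that the old example covered no longer has a test. Drop `'client_cert' => 'client cert',` and `'client_key' =>'client key',` from that first let and `'client_cert_and_key_path' => '/var/vcap/jobs/tcp_router/config/keys/tcp-router/backend/client_cert_and_key.pem',` from its expectation so it asserts that only 'enabled' and 'ca_cert_path' are rendered. Minor style points in the new examples: `'client_key' =>'client key'` lacks a space after `=>` in several lets, and the description 'when a client key is provided but the CA is whitespace-only ' carries a trailing space. The enclosing describe for the rendered config starts before this hunk.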
